Hello all! Having worked for a while with various computer systems, primarily Active Directory and Exchange, I wanted to share some of my experiences with two objectives in mind: 1) obtain feedback to improve my mastery of those systems and 2) help others working on the same subject. Other posts are about CentOS, Citrix NetScaler, and VMware.
NOTE: most of my posts are in English but some others in French, with a summary in English. However, some of the CentOS blog posts lack this summary.

Sunday, January 12, 2014

In my previous blog post, I restored a number of deleted Active Directory objects (users) with an "authoritative restore".

This was a two-part operation.

I first restored the entire system state (which may seem excessive for so few objects) and secondly performed the authoritative restore with ntdsutil.

It worked.

This procedure has been the traditional response to the accidental deletion of objects in Active Directory since its inception in 2000. Back then we used ntbackup rather than Windows Server Backup, and the ntdsutil syntax has changed since. For the most part, however, the general procedure has remained the same.

Since Windows Server 2008 R2 we have had another option: the Active Directory Recycle Bin. Unfortunately, at least for those uncomfortable with the command line, this tool relied on PowerShell cmdlets. There was no GUI. One could not simply look for deleted objects in the recycle bin, select them, and click "Restore".

Windows Server 2012 improves the Active Directory Recycle Bin with the addition of a graphical user interface. This is the version that I will explore in the following lines. It will also constitute "Part 2" in my series of blog posts dedicated to backup and restore of Active Directory objects.

Using the improved Recycle Bin has these prerequisites:

At least one domain controller running Windows 2012 Server.

Forest Functional Level at Windows 2008 R2.

The recycle bin feature must be enabled.

In my practice environment, the first two prerequisites have already been met: we have a Windows Server 2012 domain controller and I've just raised the FFL to Windows 2008 R2.

Next, I'll enable the Recycle Bin. We can do this in the Active Directory Administrative Center by right-clicking on the domain icon and selecting the "Enable Recycle Bin" option:

A message informs us that the change is irreversible: we cannot disable the Recycle Bin once enabled:

We then must restart ADAC:

Note: if the FFL was not at Windows 2008 R2 (or above) we could not enable the Recycle Bin. The option would be grayed out:
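For those who prefer (or are stuck with) the pre-GUI method the post mentioned above, here is an added PowerShell example that is not from the original post: it checks the three prerequisites and then enables the feature, with the same irreversibility prompt that ADAC shows. It assumes the ActiveDirectory module (RSAT) is installed and that you are running it as an Enterprise Admin; the forest name is taken from Get-ADForest rather than hard-coded.

```powershell
# Added example, not part of the original post.
# Assumes: ActiveDirectory module available, Enterprise Admins rights.
Import-Module ActiveDirectory

$forest = Get-ADForest

# Prerequisite 1: at least one domain controller running Windows Server 2012.
$dcs = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem
$has2012Dc = $null -ne ($dcs | Where-Object { $_.OperatingSystem -like 'Windows Server 2012*' })
"Domain controllers running Windows Server 2012 present: $has2012Dc"

# Prerequisite 2: Forest Functional Level at least Windows 2008 R2.
# ADForestMode is an ordered enum (Windows2008R2Forest sits above Windows2008Forest),
# so an integer comparison expresses "at least 2008 R2".
$required = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
$fflOk = [int]$forest.ForestMode -ge $required
"Forest functional level is $($forest.ForestMode); sufficient: $fflOk"

# Prerequisite 3: is the feature already enabled? An enabled optional feature
# lists the forest/configuration set in EnabledScopes; an empty list means
# the option in ADAC would still be available (or grayed out, if the FFL is too low).
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
$alreadyEnabled = ($feature.EnabledScopes | Measure-Object).Count -gt 0
"Recycle Bin already enabled: $alreadyEnabled"

if ($has2012Dc -and $fflOk -and -not $alreadyEnabled) {
    # This change cannot be undone, which is why the cmdlet asks for
    # confirmation by default. Do not add -Confirm:$false unless you mean it.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name
}
elseif (-not $fflOk) {
    "Raise the forest functional level to Windows 2008 R2 or above first."
}
```

Unlike the ADAC route, no restart of the console is needed afterwards; re-running Get-ADOptionalFeature is enough to confirm that EnabledScopes now contains the forest's configuration partition.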

At this point we can test the feature. As in my previous blog post where the authoritative restore option was used, I'll delete a user - and then attempt to restore it from the Recycle Bin. Here is the status quo before deletion:

So, I delete user Aisha Bhari:

On the partner domain controller (a Windows 2008 R2 server), I verify that replication has taken place and that the user has indeed been deleted:

Restoring the user is rather simple. Enabling the Recycle Bin creates a new container in ADAC: Deleted Objects. If we want to restore an object, we open this container and find the object in question:

We right-click on the object and select restore:

We have a second option as well: Restore To

This can be used if we want to restore the object to a different container, perhaps if the original container no longer exists:

The results are immediate on the Windows 2012 server and almost immediate on the Windows 2008 R2 server as well. Replication does its work and Aisha Bhari is back:

Even better (as with the authoritative restore in the previous blog post), group membership is re-established:

In my opinion at least, this is a much faster and more efficient method of restoring Active Directory objects, especially since the arrival of the Windows Server 2012 graphical interface.

One word of caution however: deleted objects remain in the Deleted Objects folder for the duration of the tombstone lifetime, 180 days by default (since Windows 2003 SP1 - 60 days with earlier OS versions). After that period, the object will be purged from the Deleted Objects folder.
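The same Deleted Objects container, the "Restore" and "Restore To" operations and the retention period can all be worked from PowerShell. The following is an added example, not code from the original post: it lists what is currently in the Deleted Objects container, restores a user either to its last known parent or to a different OU, confirms that group membership came back, and reads the retention settings the caution above refers to. The ActiveDirectory module is assumed; the user names and the target OU are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes: ActiveDirectory module, rights to restore objects, Recycle Bin enabled.
Import-Module ActiveDirectory

# What ADAC shows under "Deleted Objects": every object flagged isDeleted,
# minus the container itself. msDS-LastKnownRDN is the name ADAC displays and
# lastKnownParent is where a plain "Restore" will put the object back.
function Get-RecycledObjects {
    Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(!(name=Deleted Objects)))' `
        -IncludeDeletedObjects `
        -Properties 'msDS-LastKnownRDN', lastKnownParent, whenChanged |
        Select-Object 'msDS-LastKnownRDN', ObjectClass, lastKnownParent, whenChanged, ObjectGUID
}

# Locate one deleted user by the name ADAC displays for it.
function Find-RecycledUser {
    param([Parameter(Mandatory)][string]$LastKnownRdn)
    $obj = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(objectClass=user)(msDS-LastKnownRDN=$LastKnownRdn))" `
        -IncludeDeletedObjects
    if (-not $obj) { throw "No deleted user named '$LastKnownRdn' in Deleted Objects." }
    if (@($obj).Count -gt 1) { throw "More than one deleted user named '$LastKnownRdn'; restore by ObjectGUID instead." }
    $obj
}

# "Restore": back to lastKnownParent. "Restore To": -TargetPath names another
# container, for the case where the original OU no longer exists.
function Restore-RecycledUser {
    param(
        [Parameter(Mandatory)][string]$LastKnownRdn,
        [string]$TargetOu   # optional; omit for a plain Restore
    )
    $obj = Find-RecycledUser -LastKnownRdn $LastKnownRdn
    if ($TargetOu) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $TargetOu
    } else {
        Restore-ADObject -Identity $obj.ObjectGUID
    }
    # Group membership is stored on the groups (member) and mirrored as the
    # user's memberOf back-link, so reading memberOf confirms it was re-established.
    Get-ADObject -Identity $obj.ObjectGUID -Properties memberOf |
        Select-Object Name, DistinguishedName, memberOf
}

# Retention: with the Recycle Bin enabled, msDS-deletedObjectLifetime governs how
# long an object stays restorable; when it is unset (null) the tombstoneLifetime
# applies, and a null tombstoneLifetime means the operating system default.
function Get-DeletedObjectRetention {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties tombstoneLifetime, 'msDS-deletedObjectLifetime'
    [pscustomobject]@{
        TombstoneLifetimeDays     = $ds.tombstoneLifetime
        DeletedObjectLifetimeDays = $ds.'msDS-deletedObjectLifetime'
    }
}

# Usage (placeholders for this lab):
Get-RecycledObjects | Format-Table -AutoSize
Restore-RecycledUser -LastKnownRdn 'Aisha Bhari'                       # Restore
# Restore-RecycledUser -LastKnownRdn 'Aisha Bhari' -TargetOu 'OU=Staff,DC=example,DC=local'   # Restore To
Get-DeletedObjectRetention
```

Two things worth keeping in mind: restoring by ObjectGUID avoids ambiguity when two deleted objects shared a name, and a "Restore To" onto a different OU will not re-apply the group policy of the old location, so check the new container's linked GPOs afterwards.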

As a side-note - or end-note - I was curious to see if a restore from the Recycle Bin would modify the USN of the restored object. So I deleted and restored another user, Alan Reid, and this time noted the USN "before and after".

Before:

After:

Between the deletion of the object and the restoration, about 5 minutes passed. The USN increased by 20,548 versions. I noted the time because with an authoritative restore, the USN is increased by 100,000 versions per day for each day since the last change to the object. I'm not certain what the calculation is for a restoration that would take place less than an hour after deletion or even if a Recycle Bin restore follows the same specifications.
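To repeat the "before and after" USN observation reproducibly, here is an added example (not from the original post) that snapshots uSNChanged on a named domain controller, works whether the user is live or sitting in Deleted Objects, and computes the difference. USNs are local to each DC, so the -Server parameter matters: comparing a value read on the Windows 2012 server with one read on the 2008 R2 partner would be meaningless. The account name and server are placeholders.

```powershell
# Added example, not part of the original post.
# Assumes: ActiveDirectory module; $Server is the DC you want to compare on.
Import-Module ActiveDirectory

# Read the USN-related attributes for one account from one specific DC.
# -IncludeDeletedObjects means the same query works while the user is deleted.
function Get-UsnSnapshot {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server
    )
    $o = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -IncludeDeletedObjects `
        -Server $Server -Properties uSNChanged, uSNCreated, whenChanged, isDeleted
    if (-not $o) { throw "$SamAccountName not found on $Server (live or deleted)." }
    [pscustomobject]@{
        Server      = $Server
        Name        = $o.Name
        IsDeleted   = [bool]$o.isDeleted
        USNChanged  = [int64]$o.uSNChanged
        USNCreated  = [int64]$o.uSNCreated
        WhenChanged = $o.whenChanged
        TakenAt     = Get-Date
    }
}

# Difference between two snapshots taken on the same DC.
function Compare-UsnSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    if ($Before.Server -ne $After.Server) { throw 'Snapshots come from different DCs; USNs are not comparable.' }
    [pscustomobject]@{
        USNDelta       = $After.USNChanged - $Before.USNChanged
        MinutesElapsed = [math]::Round(($After.TakenAt - $Before.TakenAt).TotalMinutes, 1)
    }
}

# Usage in the lab (placeholders): snapshot, delete the user in ADAC as in the
# post, snapshot again while it is in Deleted Objects, restore, snapshot once more.
$dc = 'DC2012.example.local'
$before  = Get-UsnSnapshot -SamAccountName 'areid' -Server $dc
# ... delete Alan Reid in ADAC ...
$deleted = Get-UsnSnapshot -SamAccountName 'areid' -Server $dc
Restore-ADObject -Identity (Get-ADObject -LDAPFilter '(&(isDeleted=TRUE)(sAMAccountName=areid))' -IncludeDeletedObjects -Server $dc).ObjectGUID -Server $dc
$after   = Get-UsnSnapshot -SamAccountName 'areid' -Server $dc
Compare-UsnSnapshot -Before $before -After $after
```

Because uSNChanged simply takes the DC's current USN counter whenever the object is written, the delta also reflects every other change that DC processed in between, which is one reason the figure observed in a quiet lab will differ from a busy production domain.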